#1  doughold, 28th April 2009, 23:25
Custom Email Address for SSL Certificate Generation

I am trying to generate an ssl cert for www.domain.com and the email is defaulting to user@www.domain.com in the csr. Is there any way to change this so that I can specify what email address is used in the CSR?
#2  tebokkel (The Netherlands), 29th April 2009, 10:34

I use this for self-signed certificates.
Alternative: get identified by CACert and get certificates there.

(note: accidentally I used cacert as the name for my own CA, it's the CA certificate after all.. )

Code:
pizza CA # ls -l
total 64
-r-------- 1 root root 1513 Jul 29  2007 cacert.pem
-rw-r--r-- 1 root root 2800 Dec 13 13:50 cert.pem
-rw-r--r-- 1 root root  239 Dec 13 13:50 index.txt
-rw-r--r-- 1 root root   20 Dec 13 13:50 index.txt.attr
-rw-r--r-- 1 root root   21 Jul 29  2007 index.txt.attr.old
-rw-r--r-- 1 root root  117 Jul 29  2007 index.txt.old
-rwxr-xr-x 1 root root  237 Jul 29  2007 makeCSR.sh
drwxr-xr-x 2 root root 4096 Dec 13 13:50 newcerts
-rw-r--r-- 1 root root 2075 Jul 29  2007 openssl.cnf
dr-x------ 2 root root 4096 Nov 13 16:32 private
drwxr-xr-x 2 root root 4096 Dec 13 13:50 public
-rwxr-xr-x 1 root root  358 Jul 29  2007 renew.sh
drwxr-xr-x 2 root root 4096 Nov 13 16:32 requests
-rw-r--r-- 1 root root    3 Dec 13 13:50 serial
-rw-r--r-- 1 root root    3 Jul 29  2007 serial.old
-rwxr-xr-x 1 root root  426 Jul 29  2007 signCSR.sh

pizza CA # cat openssl.cnf 
# 
# OpenSSL configuration file. 
#
#
# Establish working directory. 
dir = . 

[ ca ] 
default_ca = CA_default 

[ CA_default ] 
serial = $dir/serial 
database = $dir/index.txt 
new_certs_dir = $dir/newcerts 
certificate = $dir/cacert.pem 
private_key = $dir/private/cakey.pem 
default_days = 365 
default_md = sha256 # MD5-signed certificates are rejected by current clients
preserve = no 
email_in_dn = no 
nameopt = default_ca 
certopt = default_ca 
policy = policy_match 

[ policy_match ] 
countryName = match 
stateOrProvinceName = match 
organizationName = match 
organizationalUnitName = optional 
commonName = supplied 
emailAddress = optional 

[ req ] 
default_bits = 2048 # Size of keys (1024-bit RSA is no longer accepted)
default_keyfile = key.pem # name of generated keys 
default_md = sha256 # message digest algorithm 
string_mask = nombstr # permitted characters 
distinguished_name = req_distinguished_name 

[ req_distinguished_name ] 
# Variable name   Prompt string 
#----------------------   ---------------------------------- 
0.organizationName = Organization Name (company) 
organizationalUnitName = Organizational Unit Name (department, division) 
emailAddress = Email Address 
emailAddress_max = 40 
localityName = Locality Name (city, district) 
stateOrProvinceName = State or Province Name (full name) 
countryName = Country Name (2 letter code) 
countryName_min = 2 
countryName_max = 2 
commonName = Common Name (hostname, IP, or your name) 
commonName_max = 64 

# Default values for the above, for consistency and less typing. 
# Variable name   Value 
#------------------------------   ------------------------------ 
0.organizationName_default = Ingenieursbureau Te Bokkel
organizationalUnitName_default = System Administration
localityName_default = Apeldoorn
stateOrProvinceName_default = Gelderland
countryName_default = NL
emailAddress_default = hostmaster@tebokkel.com

[ v3_ca ] 
basicConstraints = CA:TRUE 
subjectKeyIdentifier = hash 
authorityKeyIdentifier = keyid:always,issuer:always 

[ v3_req ] 
basicConstraints = CA:FALSE 
subjectKeyIdentifier = hash 
distinguished_name = req_distinguished_name 
req_extensions = v3_req 


pizza CA # cat makeCSR.sh 
#!/bin/sh
# see http://www.debian-administration.org/articles/284

# exactly one argument: the host name
if [ -n "$1" ] && [ -z "$2" ]; then
        openssl req -new -nodes -keyout "private/$1.key" -out "requests/$1.csr" -config ./openssl.cnf
else
        echo "Usage: $0 host.domain.tld"
        exit 1
fi


pizza CA # cat signCSR.sh 
#!/bin/sh
# see http://www.debian-administration.org/articles/284

if [ -n "$1" ] && [ -r "requests/$1.csr" ]; then
        openssl ca -out cert.pem -config ./openssl.cnf -infiles "requests/$1.csr"
        if [ $? -eq 0 ]; then
                openssl x509 -in cert.pem -out "public/$1.crt.pem"
                # makeCSR.sh writes the key to private/$1.key
                echo "Successful! Please take private/$1.key and public/$1.crt.pem"
        fi
else
        echo "Usage: $0 host.domain.tld"
        echo "(CSR should exist in requests directory)"
        exit 1
fi


pizza CA # cat renew.sh 
#!/bin/sh

if [ -n "$1" ] && [ -r "public/$1.crt.pem" ]; then
        openssl ca -revoke "public/$1.crt.pem" -config ./openssl.cnf
        if [ $? -eq 0 ]; then
                echo
                echo "Revoked, now signing a new certificate!"
                echo
                ./signCSR.sh "$@"
        else
                echo "Revocation failed. Aborting.."
                exit 1
        fi
else
        echo "Usage: $0 host.domain.tld for which a certificate exists"
        exit 1
fi
pizza CA #
#3  tebokkel (The Netherlands), 29th April 2009, 10:38

BTW, the answer to your question is in the emailAddress_default line in the openssl.cnf.
I just dumped all scripts that work together with it..

Paul
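
Added example, not part of the original posts: a non-interactive way to put a chosen e-mail address into the CSR subject, by writing emailAddress directly into a small per-host config with prompt = no instead of relying on emailAddress_default. It only creates a key and a CSR (nothing is signed), so the CSR can go to any CA. The function names, the subject values and the example.com addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a CSR whose subject carries a chosen e-mail address.
# Subject values (NL, Example Org) are constructed placeholders.

make_csr() {
    # $1 = host name (commonName), $2 = contact e-mail, $3 = output directory
    host=$1 email=$2 outdir=$3
    [ -n "$host" ] && [ -n "$email" ] && [ -d "$outdir" ] || return 2
    # refuse names that would write outside $outdir
    case $host in */*|.*) return 2 ;; esac

    cnf="$outdir/$host.cnf"
    cat > "$cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn

[ dn ]
countryName      = NL
organizationName = Example Org
commonName       = $host
emailAddress     = $email
EOF

    # umask 077 keeps the unencrypted private key readable by its owner only
    ( umask 077
      openssl req -new -nodes -config "$cnf" \
          -keyout "$outdir/$host.key" -out "$outdir/$host.csr" 2>/dev/null
    ) || return 1
}

csr_subject() {
    # print the subject of a CSR so the e-mail address can be checked
    # before the request is sent to the CA
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# usage: make_csr www.example.com hostmaster@example.com ./requests
#        csr_subject ./requests/www.example.com.csr
```

Checking the subject with csr_subject before submitting the request catches a wrong or defaulted address while it is still cheap to regenerate.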
#4  doughold, 1st May 2009, 00:45

Thanks for the script, I'll keep it in my repertoire. However, I probably should have made myself more clear in that I am getting a cert from Godaddy and I don't want to self-sign it. Is there a reason that this option isn't available in the UI of ISPConfig?
#5  till (Super Moderator, Lüneburg, Germany), 1st May 2009, 12:01

If you want to make a feature request for this then please post it as a feature request to the bugtracker.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.